
About Organizational Identity Sources

Organizational Identity Sources allow for the creation of Organizational Identities linked to an external source or "system of record". These sources can include LDAP servers, REST APIs, SQL databases, flat files, and so on. Custom plugins can be written for arbitrary sources.

Organizational Identity Sources can only be defined on a per-CO basis. If org identities are pooled, Organizational Identity Sources are not supported. Once configured, Organizational Identities can be created from these sources in several ways:

  • Manually, via People >> Organizational Identities >> Add New Org Identity From Source or by using the Search button from the list of Organizational Identity Sources.
  • Using an Enrollment Flow, via Enrollment Sources.
  • Via a batch process. (Not yet implemented; CO-76)

Organizational Identity Sources can be linked to Registry Pipelines in order to automatically create CO Person records.

(warning) When an Organizational Identity is created from a source, it is linked to that source and cannot be manually edited, not even by an administrator. However, it can be manually resynced to pull changes from the source.

(warning) If the corresponding record is removed from the Organizational Identity Source, on the next sync the Org Identity will be set to status Removed, but the Org Identity itself will remain available – it is not deleted.

(warning) If Attribute Enumerations are enabled for any attributes, permitted values for those attributes are constrained to the enumerated options. Source records containing a non-enumerated value will fail to process correctly.

Organizational Identity Sources are available in COmanage Registry v2.0.0 and later.

Terminology

The terminology used by Registry can be a little confusing when looking at person records related to Organizational Identity Sources.

  • View Organizational Identity: Retrieves the current Org Identity operational record used by Registry in normal operations.
  • View Organizational Identity Source: Performs a live query against the Org Identity Source backend and retrieves the current data as known to the backend, i.e. this is the source's current data.
  • View Organizational Identity Source Record: Retrieves the last data retrieved from the backend and used to create or update an Org Identity, i.e. this is Registry's copy of the source data.
  • Add New Org Identity From Source: Create a new Org Identity based on the Org Identity Source's data. In addition, this will create an Organizational Identity Source Record.
  • Resync Org Identity From Source: Update the Org Identity and Organizational Identity Source Record using the latest (current) data available from the Org Identity Source.
  • Configuration >> Organizational Identity Sources: Manage the plugins used to define and query one or more Org Identity Sources.

Sync Modes

When called from Registry Job Shell, Organizational Identity Sources can be configured in the following sync modes:

  • Full: Create new Org Identities for any record in the Organizational Identity Source that does not yet have one, and update (or delete, if appropriate) existing records.
  • Query: Similar to Enrollment Sources Search mode, query the Organizational Identity Source for any records matching verified email addresses of all Org Identities, looking for new matching records to link. Also update (or delete, if appropriate) existing records.
    • (warning) Query mode should only be used for Organizational Identity Sources attached to a Registry Pipeline configured for email address-based matching. Otherwise, linking to existing CO People may not happen correctly.
    • In Query mode, if an Organizational Identity Source is queried for an email address and the Source returns a record with a different email address (e.g. the person changed their email address in the other system), by default a new Org Identity (and probably CO Person) will be created. This is because Registry has not confirmed the alternate email address and cannot trust the Organizational Identity Source asserting a record linkage. This corresponds to the Email Mismatch Mode of Create New Org Identity. Alternately, Email Mismatch Mode can be set to Ignore, in which case no action is taken.
    • In Query mode, by default the Organizational Identity Source will be re-queried for all email addresses, even those already attached to an Org Identity associated with the Source. This is to allow for the checking of additional records associated with the same email address. However, this can also create a large number of extra queries, if the Source is known not to create such records (or if such records are not of interest). To disable this behavior, set (tick the box for) Do Not Query for Known Email Addresses.
  • Update: Update and delete (if appropriate) records that are already synced to Org Identities.
  • Manual: Do not automatically sync records. Currently, manual syncing is only available on an individual record basis. (CO-1309)
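The following is an added model of the Query-mode decisions described above (update or Removed status for already-synced records, Email Mismatch Mode, and Do Not Query for Known Email Addresses). It is not COmanage Registry code; the `backend` dictionary stands in for a live source lookup, and the record shapes and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Email Mismatch Mode values, as named on this page
CREATE_NEW = "Create New Org Identity"
IGNORE = "Ignore"

@dataclass
class OrgIdentity:
    email: str                        # a verified email address
    source_key: Optional[str] = None  # key of the linked source record, if any
    status: str = "Active"

@dataclass
class SourceConfig:
    email_mismatch_mode: str = CREATE_NEW
    skip_known_emails: bool = False   # "Do Not Query for Known Email Addresses"

def query_mode_sync(org_ids: List[OrgIdentity],
                    backend: Dict[str, List[Tuple[str, str]]],
                    cfg: SourceConfig) -> List[Tuple[str, str]]:
    """One Query-mode run. `backend` is a constructed stand-in for the live
    source: it maps a queried email address to the (source_key, record_email)
    pairs the source returns. Returns the list of (action, source_key) taken."""
    actions = []
    linked = {o.source_key for o in org_ids if o.source_key is not None}
    known = {o.email for o in org_ids if o.source_key is not None}
    present = {key for hits in backend.values() for key, _ in hits}
    # Records already synced: update them, or mark Removed if gone from the source
    for o in org_ids:
        if o.source_key is None:
            continue
        if o.source_key in present:
            actions.append(("update", o.source_key))
        else:
            o.status = "Removed"      # the Org Identity itself is kept, not deleted
            actions.append(("removed", o.source_key))
    # Query the source for each verified email, looking for new records to link
    for o in org_ids:
        if cfg.skip_known_emails and o.email in known:
            continue                  # extra queries suppressed by the setting
        for key, rec_email in backend.get(o.email, []):
            if key in linked:
                continue              # already handled above
            if rec_email == o.email or cfg.email_mismatch_mode == CREATE_NEW:
                actions.append(("create", key))   # new Org Identity (and likely CO Person)
            else:
                actions.append(("ignore", key))   # mismatch with Ignore mode: no action
    return actions
```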

(warning) Not all Organizational Identity Source plugins support all sync modes. Check the documentation for any limitations.

Syncing via Job Shell can be disabled on a per-CO basis via CO Settings >> Disable Org Identity Source Sync.

Linking a Record to a CO Person

By default, creating an Org Identity (via Add New Org Identity From Source or any other mechanism) will not create a CO Person.

If the Org Identity Source is attached to a Pipeline, then that Pipeline will likely create a CO Person for the new Org Identity. If a Pipeline Match Strategy is configured, then the Pipeline may attach the new Org Identity to an existing CO Person if the match conditions are satisfied.

To manually link an Org Identity to an existing CO Person, there are two options:

  1. If no Pipeline is attached to the Org Identity Source, simply link the record manually.
  2. Define an Enrollment Flow. A typical configuration would be
    1. Authorization: CO Admin (or COU Admin)
    2. Identity Matching: Select
    3. Attach an appropriate Enrollment Source, in Select mode
    4. Do not define any Enrollment Attributes

Creating ePPNs

When syncing records from an Org Identity Source, Registry can automatically create an identifier of type ePPN to be injected into the Org Identity created from the Source. This can be useful for (e.g.) automatically calculating the ePPN of an IdP associated with the Source. There are two settings:

  • EPPN Identifier Type: The Identifier of this type as found in the Org Identity created from the Source will be used as the left-hand side of the newly created ePPN.
  • EPPN Suffix: The specified string will be used as the right-hand side of the newly created ePPN. Do not include the @.

An ePPN will not be generated if one is found in the Org Identity record created from the Source.
